[exim.git] / test / aux-fixed / exim-ca / genall

#!/bin/bash
#

echo Ensure time is set to 2012/11/01 12:34
echo use -  date -u 110112342012
echo hit return when ready
read junk
for tld in com org net
do
    clica -D example.$tld -p password -B 1024 -I -N example.$tld -F \
	-C http://crl.example.$tld/latest.crl -O http://oscp/example.$tld/

    clica -D example.$tld -p password -s 101 -S server1.example.$tld \
	-8 alternatename.server1.example.$tld,alternatename2.server1.example.$tld
    clica -D example.$tld -p password -s 102 -S revoked1.example.$tld
    clica -D example.$tld -p password -s 103 -S expired1.example.$tld -m 1
    clica -D example.$tld -p password -s 201 -S server2.example.$tld
    clica -D example.$tld -p password -s 202 -S revoked2.example.$tld
    clica -D example.$tld -p password -s 203 -S expired2.example.$tld -m 1


    # openssl seems to generate a file (ca_chain.pam) in an order it
    # cannot then use (the key applies to the first cert in the file?).
    # Generate a shuffled one.
    cd example.$tld/server1.example.$tld
    openssl pkcs12 -in server1.example.com.p12 -passin file:pwdfile -cacerts -out cacerts.pem -nokeys
    cat server1.example.com.pem cacerts.pem > fullchain.pem
    rm cacerts.pem
    cd ../..
done

# and loop again
for tld in com org net
do
    CADIR=example.$tld/CA
    #give ourselves an OSCP key to work with
    pk12util -o $CADIR/OCSP.p12 -n 'OCSP Signer' -d $CADIR -K password -W password
    openssl pkcs12 -in $CADIR/OCSP.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/OCSP.key


    # create some index files for the ocsp responder to work with
    cat >$CADIR/index.valid.txt <<EOF
V	130110200751Z		65	unknown	CN=server1.example.$tld
V	130110200751Z		66	unknown	CN=revoked1.example.$tld
V	130110200751Z		67	unknown	CN=expired1.example.$tld
V	130110200751Z		c9	unknown	CN=server2.example.$tld
V	130110200751Z		ca	unknown	CN=revoked2.example.$tld
V	130110200751Z		cb	unknown	CN=expired2.example.$tld
EOF
    cat >$CADIR/index.revoked.txt <<EOF
R	130110200751Z	100201142709Z,superseded	65	unknown	CN=server1.example.$tld
R	130110200751Z	100201142709Z,superseded	66	unknown	CN=revoked1.example.$tld
R	130110200751Z	100201142709Z,superseded	67	unknown	CN=expired1.example.$tld
R	130110200751Z	100201142709Z,superseded	c9	unknown	CN=server2.example.$tld
R	130110200751Z	100201142709Z,superseded	ca	unknown	CN=revoked2.example.$tld
R	130110200751Z	100201142709Z,superseded	cb	unknown	CN=expired2.example.$tld
EOF

    # Now create all the ocsp requests and responses
    OGENCOMMON="-rsigner $CADIR/OCSP.pem -rkey $CADIR/OCSP.key -CA $CADIR/Signer.pem -noverify"
    for server in server1 revoked1 expired1 server2 revoked2 expired2
    do
	SPFX=example.$tld/$server.example.$tld/$server.example.$tld
	openssl ocsp -issuer $CADIR/Signer.pem -cert $SPFX.pem -reqout $SPFX.ocsp.req
	openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON   -ndays 3652 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.good.resp
	openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON   -ndays 30   -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.dated.resp
	openssl ocsp -index $CADIR/index.revoked.txt $OGENCOMMON -ndays 3652 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.revoked.resp
    done
done

# and loop again to generate unlocked keys and client cert bundles
for tld in com org net
do
    for server in server1 revoked1 expired1 server2 revoked2 expired2
    do
	SDIR=example.$tld/$server.example.$tld
	SPFX=$SDIR/$server.example.$tld
	openssl rsa -in $SPFX.key -passin file:$SDIR/pwdfile -out $SPFX.unlocked.key
	cat $SPFX.pem example.$tld/CA/Signer.pem >$SPFX.chain.pem
    done
done

echo Please to reset date to now.
echo service ntpdate start
echo 
echo Then hit return
read junk

# Create CRL files in .der and .pem
# empty versions, and ones with the revoked servers
for tld in com org net
do
    CADIR=example.$tld/CA
    CRLIN=$CADIR/crl.empty.in.txt
    DATENOW=`date -u +%Y%m%d%H%M%SZ`
    echo "update=$DATENOW " >$CRLIN
    crlutil -G -d $CADIR -f $CADIR/pwdfile \
	-n 'Signing Cert' -c $CRLIN -o $CADIR/crl.empty
    openssl crl -in $CADIR/crl.empty -inform der -out $CADIR/crl.empty.pem
done
sleep 2
for tld in com org net
do
    CADIR=example.$tld/CA
    CRLIN=$CADIR/crl.v2.in.txt
    DATENOW=`date -u +%Y%m%d%H%M%SZ`
    echo "update=$DATENOW " >$CRLIN
    echo "addcert 102 $DATENOW" >>$CRLIN
    echo "addcert 202 $DATENOW" >>$CRLIN
    crlutil -G -d $CADIR -f $CADIR/pwdfile \
	-n 'Signing Cert' -c $CRLIN -o $CADIR/crl.v2
    openssl crl -in $CADIR/crl.v2 -inform der -out $CADIR/crl.v2.pem
done

find example.* -type d -print0 | xargs -0 chmod 755
find example.* -type f -print0 | xargs -0 chmod 644

echo "CA, Certificate, CRL and OSCP Response generation complete"
Commit	Line	Data
f5d78688 JH	1	#!/bin/bash
	2	#
	3
	4	echo Ensure time is set to 2012/11/01 12:34
	5	echo use - date -u 110112342012
	6	echo hit return when ready
	7	read junk
	8	for tld in com org net
	9	do
2b4a568d JH	10	clica -D example.$tld -p password -B 1024 -I -N example.$tld -F \
	11	-C http://crl.example.$tld/latest.crl -O http://oscp/example.$tld/
	12
	13	clica -D example.$tld -p password -s 101 -S server1.example.$tld \
	14	-8 alternatename.server1.example.$tld,alternatename2.server1.example.$tld
f5d78688 JH	15	clica -D example.$tld -p password -s 102 -S revoked1.example.$tld
	16	clica -D example.$tld -p password -s 103 -S expired1.example.$tld -m 1
	17	clica -D example.$tld -p password -s 201 -S server2.example.$tld
	18	clica -D example.$tld -p password -s 202 -S revoked2.example.$tld
	19	clica -D example.$tld -p password -s 203 -S expired2.example.$tld -m 1
82525c6f JH	20
	21
	22	# openssl seems to generate a file (ca_chain.pam) in an order it
	23	# cannot then use (the key applies to the first cert in the file?).
	24	# Generate a shuffled one.
	25	cd example.$tld/server1.example.$tld
	26	openssl pkcs12 -in server1.example.com.p12 -passin file:pwdfile -cacerts -out cacerts.pem -nokeys
	27	cat server1.example.com.pem cacerts.pem > fullchain.pem
	28	rm cacerts.pem
	29	cd ../..
f5d78688 JH	30	done
	31
	32	# and loop again
	33	for tld in com org net
	34	do
	35	CADIR=example.$tld/CA
	36	#give ourselves an OSCP key to work with
	37	pk12util -o $CADIR/OCSP.p12 -n 'OCSP Signer' -d $CADIR -K password -W password
	38	openssl pkcs12 -in $CADIR/OCSP.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/OCSP.key
	39
	40
	41	# create some index files for the ocsp responder to work with
	42	cat >$CADIR/index.valid.txt <<EOF
	43	V 130110200751Z 65 unknown CN=server1.example.$tld
	44	V 130110200751Z 66 unknown CN=revoked1.example.$tld
	45	V 130110200751Z 67 unknown CN=expired1.example.$tld
	46	V 130110200751Z c9 unknown CN=server2.example.$tld
	47	V 130110200751Z ca unknown CN=revoked2.example.$tld
	48	V 130110200751Z cb unknown CN=expired2.example.$tld
	49	EOF
	50	cat >$CADIR/index.revoked.txt <<EOF
	51	R 130110200751Z 100201142709Z,superseded 65 unknown CN=server1.example.$tld
	52	R 130110200751Z 100201142709Z,superseded 66 unknown CN=revoked1.example.$tld
	53	R 130110200751Z 100201142709Z,superseded 67 unknown CN=expired1.example.$tld
	54	R 130110200751Z 100201142709Z,superseded c9 unknown CN=server2.example.$tld
	55	R 130110200751Z 100201142709Z,superseded ca unknown CN=revoked2.example.$tld
	56	R 130110200751Z 100201142709Z,superseded cb unknown CN=expired2.example.$tld
	57	EOF
	58
	59	# Now create all the ocsp requests and responses
	60	OGENCOMMON="-rsigner $CADIR/OCSP.pem -rkey $CADIR/OCSP.key -CA $CADIR/Signer.pem -noverify"
	61	for server in server1 revoked1 expired1 server2 revoked2 expired2
	62	do
	63	SPFX=example.$tld/$server.example.$tld/$server.example.$tld
	64	openssl ocsp -issuer $CADIR/Signer.pem -cert $SPFX.pem -reqout $SPFX.ocsp.req
2b4a568d JH	65	openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON -ndays 3652 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.good.resp
	66	openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON -ndays 30 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.dated.resp
	67	openssl ocsp -index $CADIR/index.revoked.txt $OGENCOMMON -ndays 3652 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.revoked.resp
f5d78688 JH	68	done
	69	done
	70
	71	# and loop again to generate unlocked keys and client cert bundles
	72	for tld in com org net
	73	do
89f2a269 JH	74	for server in server1 revoked1 expired1 server2 revoked2 expired2
89f2a269 JH	75	do
f5d78688 JH	76	SDIR=example.$tld/$server.example.$tld
	77	SPFX=$SDIR/$server.example.$tld
	78	openssl rsa -in $SPFX.key -passin file:$SDIR/pwdfile -out $SPFX.unlocked.key
	79	cat $SPFX.pem example.$tld/CA/Signer.pem >$SPFX.chain.pem
	80	done
	81	done
	82
	83	echo Please to reset date to now.
	84	echo service ntpdate start
	85	echo
	86	echo Then hit return
	87	read junk
	88
	89	# Create CRL files in .der and .pem
	90	# empty versions, and ones with the revoked servers
	91	for tld in com org net
	92	do
	93	CADIR=example.$tld/CA
	94	CRLIN=$CADIR/crl.empty.in.txt
	95	DATENOW=`date -u +%Y%m%d%H%M%SZ`
	96	echo "update=$DATENOW " >$CRLIN
	97	crlutil -G -d $CADIR -f $CADIR/pwdfile \
	98	-n 'Signing Cert' -c $CRLIN -o $CADIR/crl.empty
	99	openssl crl -in $CADIR/crl.empty -inform der -out $CADIR/crl.empty.pem
	100	done
	101	sleep 2
	102	for tld in com org net
	103	do
	104	CADIR=example.$tld/CA
	105	CRLIN=$CADIR/crl.v2.in.txt
	106	DATENOW=`date -u +%Y%m%d%H%M%SZ`
	107	echo "update=$DATENOW " >$CRLIN
	108	echo "addcert 102 $DATENOW" >>$CRLIN
	109	echo "addcert 202 $DATENOW" >>$CRLIN
	110	crlutil -G -d $CADIR -f $CADIR/pwdfile \
	111	-n 'Signing Cert' -c $CRLIN -o $CADIR/crl.v2
	112	openssl crl -in $CADIR/crl.v2 -inform der -out $CADIR/crl.v2.pem
	113	done
	114
89f2a269 JH	115	find example.* -type d -print0 \| xargs -0 chmod 755
	116	find example.* -type f -print0 \| xargs -0 chmod 644
	117
f5d78688	118	echo "CA, Certificate, CRL and OSCP Response generation complete"